Description:

This document describes how to configure the SSO Certificate Authorisation Agent to utilise:

• several rootCA certificates from the same CA
• several Certificate Authorities
• several Certificate Revocation Lists
  
  

Solution:

To do so please edit the SSO Certificate Authorisation Agent's configuration file CA_certtga.ini accordingly

Several rootCA certificates from the same CA

You can have specify a comma separated list of several rootCA certificates:

...
VerifyDepth=2
TrustedPath=\\DemoCorpDC\CertEnroll
TrustedNames=DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(0-1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI
(1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(1-0).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(1-2).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI
(2).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(2-1).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(2-3).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI
(3).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI(3-2).crt,DemoCorpDC.DemoCorpDOM.ca.com_DemoCorpPKI.crt
...

Note:

The value for each parameter needs to be in one single line for each.

If you have intermediate CAs you may need to increase the VerifyDepth parameter accordingly.

Several Certificate Revocation Lists

...
[parameters]
RevocationMeth=CRL
...
[CRL1]
CrlFileName=ldap://ldap.box1.com:389/&...
CrlIssuerCert=C:\Program Files\CA\Certs\vrkqc.cer
[CRL2]
CrlFileName=ldap://ldap.box2.com:389/&...
CrlIssuerCert=C:\Program Files\CA\Certs\TEOPersonnelCA.cer
...

Several Certificate Authorities

...
[OCSP1]
TrustedPath=C:\
TrustedNames=certnew.cer
[OCSP2]
TrustedPath=
TrustedNames=
...

Note: It is possible to specify this even if there is no OCSP in place.